3 Simple Myths and Misunderstandings About Social Engineering: Why Most Anti-Phishing Advice Is Wrong

Paul Walsh
2 min read · Oct 31, 2023

Phishing was first identified on the AOL network in 1996, where I was among the first individuals to have my account/screen name impersonated across emails, chat rooms, and instant messaging. Despite this early instance proving that phishing attacks are not restricted to just email, the vast majority of the advice given out today is fundamentally flawed. This fact is one of the reasons why every year since 2016 has been recorded as the worst year on record for phishing. If the security industry had an effective way to tackle phishing attacks, this wouldn’t be happening. And ProofPoint wouldn’t have felt the need to acquire an anti-phishing awareness training company.

Here’s a breakdown of commonly offered anti-phishing advice that is not just incorrect but dangerously misleading.

Don’t Click Links That Look Suspicious

Why It’s Misguided:

Telling people not to click on “suspicious-looking” links inadvertently gives them the confidence to click on links that appear legitimate. You might argue this is semantics, but phishing is about exploiting human psychology, which is overwhelmingly a game of semantics and nuances that appear unimportant, but are everything to a criminal. The reality is that successful phishing attacks use links that don’t look suspicious at all. Furthermore, even legitimate marketing links can often look suspicious, confusing the issue further.

Don’t Trust Messages That Give Off a Sense of Urgency

Why It’s Misguided:

Brands frequently send marketing communications that encourage quick action, imbuing their messages with a sense of urgency. This is a common marketing tactic, so advising people to be wary of urgent messages can lead to confusion and possibly to ignoring legitimate communications. Take a look at the image attached to this post. I received that by email this morning. Should every customer ignore it because there’s a sense of urgency in the call to action?

Make Sure the Sender Is Who You Think It Is

Why It’s Misguided:

Phishing is fundamentally designed to deceive you into believing the sender is a trusted person or entity. Therefore, this advice is a paradox. It’s asking you to validate the sender, which is precisely what the phisher wants you to believe you’re doing. In essence, it defeats the purpose of the warning.

Revising the Paradigm with Psychology and Zero Trust:

Most anti-phishing advice fails because it overlooks the semantics and nuances being used by cybercriminals. In reality, an individual with a background in psychology is likely better equipped to dissect the mechanics of phishing than a cybersecurity engineer.

👉🏻 For further reading, check out this brief article where I discuss why phishing is neither new nor sophisticated.


Paul Walsh

MetaCert CEO. Passionate about Cybersecurity, Blockchain, Crypto, Snowboarding & Red Wine. Part of the AOL team that launched AIM. Co-founded 2 W3C Standards.